The present disclosure relates to computing systems that employ secure boot of operating systems. More specifically, the present disclosure relates to securing an operating system configuration of computing systems using hardware.
Computing systems have access control policies that can limit the access users have to filesystem objects. An access control policy, for example, can restrict the files a user can modify, or it can prohibit a user from loading a given operating system module. Access control policies can be enforced by the configuration of an operating system executing on a computing system. An operating system configuration, in turn, can be determined by setting kernel parameters corresponding to a given configuration of an operating system kernel before using the kernel to boot a computing system into a state suitable for executing user applications. Once a computing system is booted using a given operating system configuration, the access control policy enforced by that configuration can remain in effect until the computing system is booted under a different operating system configuration, if the computing system permits this.
Some computing systems enable users to choose from amongst a set of different operating system configurations. A user with a valid account on such a computing system can change an access control policy (or the enforcement of an access control policy) of the computing system by selecting and booting an operating system configuration having a different access control policy than the configuration currently booted.
It is common for users to remotely access computing systems using account credentials (e.g., a username and password). Users accessing a computing system remotely are usually subject to the same access control policies as users accessing the computing system from a local terminal. Authorized users of a computing system, consequently, can remotely change the access control policy of the computing system using the process previously described. One artifact of this regime, however, is that unauthorized users who are able to obtain the access credentials of an authorized user of a computing system can also remotely change the access control policy of the computing system, possibly elevating their access privileges on the computing system.
In view of the foregoing, there is a need for techniques to enable a user of a computing system to choose from amongst a set of different operating system configurations and have assurance that the chosen configuration has not been modified, changed or otherwise tampered with before the chosen configuration is booted on the computing system.